- Curly COMrades Deployed Alpine Linux Virtual Machines on Windows Hosts to Hide Reverse Shell Malware Activity
- VM traffic channeled through the host IP, avoiding traditional EDR and masking outbound communications.
- Targets included Georgian and Moldovan institutions; the operations align with Russian geopolitical interests.
Russian hackers known as Curly COMrades have been seen hiding their malware in Linux-based virtual machines (VMs) deployed on Windows devices, experts have warned.
Bitdefender security researchers, analyzing the latest activity together with the Georgia Computer Emergency Response Team (CERT), found that Curly COMrades began attacking these victims in July 2025. The attackers executed remote commands to enable the Microsoft-Hyper-V virtualization feature and to disable its management interface.
They then used the feature to download a lightweight Alpine Linux-based virtual machine containing multiple malware implants.
Russian attackers
The malware deployed in this campaign consists of CurlyShell and CurlCat, both of which provide a reverse shell. The hackers also used PowerShell scripts that gave them remote authentication and arbitrary command execution capabilities.
To hide the activity in plain sight, they configured the VM to use the default switch network adapter in Hyper-V. That way, all VM traffic went through the host’s network stack using Hyper-V’s internal network.
“Indeed, all malicious outbound communications appear to originate from the legitimate IP address of the host machine,” the researchers explained. “By isolating the malware and its execution environment within a virtual machine, attackers effectively evaded many traditional host-based EDR detections.”
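One way for a defender to audit a Windows endpoint for the configuration described above (Hyper-V enabled with its management tooling removed, and a VM attached to the Default Switch so its traffic leaves with the host's IP), as an added PowerShell example that is not code from the article or from Bitdefender. It assumes an elevated session on Windows 10/11; the feature names, the vmms service and the default VM store path are standard Windows values, and the switch name is assumed to be the stock "Default Switch".

```powershell
# Added audit script (not from the article or from Bitdefender). Assumes a
# Windows 10/11 endpoint and an elevated PowerShell session. Get-VM and
# Get-VMNetworkAdapter need the Hyper-V PowerShell module, which an intruder who
# disabled the management tooling may have removed, so a fallback is included.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Feature states: Hyper-V enabled while the management tooling is disabled
#    is the combination the article describes.
$states = @{}
foreach ($name in 'Microsoft-Hyper-V','Microsoft-Hyper-V-Management-Clients','Microsoft-Hyper-V-Management-PowerShell') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $states[$name] = if ($f) { [string]$f.State } else { 'NotPresent' }
}
if ($states['Microsoft-Hyper-V'] -eq 'Enabled' -and $states['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled') {
    $findings.Add('Hyper-V platform is enabled but Hyper-V Manager (Management-Clients) is not')
}

# 2. Host-side context: the Default Switch's vEthernet adapter and the VM
#    management service. Both exist on any Hyper-V host, so they are context,
#    not proof; a workstation that should never run VMs should show neither.
if (Get-NetAdapter -Name 'vEthernet (Default Switch)' -ErrorAction SilentlyContinue) {
    $findings.Add('Host adapter "vEthernet (Default Switch)" present (VM traffic NATs through the host IP)')
}
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') { $findings.Add('Hyper-V Virtual Machine Management service (vmms) is running') }

# 3. Enumerate VMs and the switch each adapter is attached to. A Linux VM
#    without integration services usually reports no IPAddresses, so that
#    field being empty is not a clean result.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
            $row = '{0} state={1} switch={2} mac={3} ip={4} path={5}' -f $vm.Name, $vm.State,
                   $nic.SwitchName, $nic.MacAddress, ($nic.IPAddresses -join ','), $vm.Path
            if ($nic.SwitchName -eq 'Default Switch') { $findings.Add("VM on Default Switch: $row") }
            else { $findings.Add("VM present: $row") }
        }
    }
} else {
    # Fallback when the module is gone: VM configuration files in the default
    # store. A VM can live elsewhere, so absence here is not a clean result either.
    $store = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V'
    Get-ChildItem -Path $store -Recurse -Include *.vmcx -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("VM config file (module unavailable): $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No Hyper-V indicators found' } else { $findings }
```

Any VM on a host where none is expected is worth a look; a VM on the Default Switch whose outbound connections the EDR cannot attribute to a process is the pattern described above.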
Curly COMrades were first seen in 2024, and while their activities align with the interests of the Russian Federation, no direct link was found. In August 2025, Bitdefender reported that the group's victims included government and judicial organizations in Georgia and energy companies in Moldova. The victims of this incident were not named.
Bitdefender emphasized that there are no strong overlaps with known Russian APT groups, but Curly COMrades’ operations “align with the geopolitical objectives of the Russian Federation.”
Since Russia's attention turned to Ukraine in 2014 with the annexation of Crimea, the countries on its eastern border have received less attention. Georgia, however, is in a similar position to Ukraine, with two regions, South Ossetia and Abkhazia, having declared independence with the help of the Russian military. It would therefore make sense for Russia's cyber spies to want to monitor neighboring countries and their diplomatic efforts.
Through The Registry